performed a review and analysis of the product along with tests aimed
at insuring the quality of the product, but does not warranty or make

user and any potential third parties accept the entire risk for the

Distribution and Copyright


This software package and documentation is subject to a copyright.

This software package and documentation is released to the Public
INTERNET PROTOCOL SECURITY OPTION (IPSO)
MIL-STD-1777 DRAFT REVISION
TRACEABILITY MATRIX


This Traceability Matrix provides information on the derivation,
organization, and function of tests specified for IPSO within the
Protocol Test system.

The document is divided into four sections:


IPSO TRACEABILITY INDEX;

IPSO TEST INDEX;

IPSO TEST SCENARIOS INDEX;

IPSO SCENARIOS AND TESTS DESCRIPTIONS.


IPSO TRACEABILITY INDEX: IPSO TEST NUMBERS VERSUS IP MIL-STD-1777
SECURITY OPTION

The table indicates the cross-reference between the Test
Scenarios and the applicable section in MIL-STD-1777 and the
BLACKER BFE ICD regarding each required function, operation,
option, mode, response, or state.


IPSO TEST INDEX: IPSO TEST NUMBERS VERSUS THE SECURITY
REQUIREMENT

The table shows the IP Test Numbers that may be regarded as the
"principal test" for each requirement of the IPSO.


IPSO TEST SCENARIOS INDEX: IPSO TEST SCENARIO FILES VERSUS IPSO
TEST NUMBERS

The table shows, for each IPSO Test Number, the UNIX file names
of the IPSO Test Scenario Files in which that number appears.


IPSO SCENARIOS AND TESTS DESCRIPTIONS

This section provides a brief narrative of the scope and
objectives of each IPSO Test Scenario File and an operational
description of each IPSO Test Number.


SECTION 1 - IPSO TRACEABILITY INDEX

IPSO Test Numbers Versus IP MIL-STD-1777 Reference Draft Revised
IP Security Option or Blacker BFE ICD (March 6, 1985).

The table indicates the cross-reference between the IPSO tests
and the applicable sections of either the Draft Revised Mil-Std-1777
or the Blacker BFE ICD.


Reference                                         Test Number

Draft Revised IP Security Option

9.3.15.3      DoD Basic Security                  1, 2, 4
9.3.15.3.1    DoD Basic Security Length           2
9.3.15.3.2    Class. Protection Level             1, 5
9.3.15.3.3    Protection Authorities              1, 6, 7
9.3.15.3.4    Usage Rules                         1, 5, 7
9.3.15.4      Extended Security Option            3


SECTION 2 - IPSO TEST INDEX

IPSO Test Numbers Versus the Security Requirement.

The table shows the IPSO Test Numbers that may be regarded as the
"principal tests" for each requirement on IP security.


Test Number   Purpose

1             Basic Security Option and Accreditation Validation
2             Basic Security Option Detection and Syntax Validation
3             Extended Security Option Detection and Syntax Validation
4             Correct Security Labeling in All Fragments
5             Correct Security Usage
6             Correct Accreditation Usage
7             Variable Length Accreditation Mask


SECTION 3 - IPSO TEST SCENARIOS INDEX

IPSO Test Scenario Files Versus IPSO Test Numbers.


Test Number   Scenario Name

1             IPSO
2             IPSO
3             IPSO
4             IPSO
5             IPSO
6             IPSO
7             IPSO


SECTION 4 - IPSO SCENARIOS AND TESTS DESCRIPTIONS

This section provides a brief narrative of the scope and
objectives of each IPSO Test Scenario File and a narrative of
each individual test in that scenario.


Scenario IPSO

Scenario IPSO evaluates an IUT's general conformance to the Draft
IPSO Addendum of Mil-Std-1777 on IP Security. Scenario IPSO will
validate the presence of fields and the correctness of the syntax
in the option.

Test 1: BASIC SECURITY OPTION AND ACCREDITATION VALIDATION


The IUT should accept only IP datagrams with the single
classification for which it has been accredited. The
accreditation agency is denoted by the accreditation mask
accompanying the classification parameter. Therefore, the
classification and accreditation mask on system-high hosts form a
unique filter for incoming IP datagrams. Also, multilevel secure
hosts can only have a single classification for a given line, so
the same test will work for multilevel hosts on a line-by-line
test basis.

- Action: The Central Driver will send all possible
  combinations of classification and accreditation
  mask and record the response to each request.

- Verification: Only one datagram should reach the Remote
  Driver, and that one should be echoed back.

- Success: One IP datagram is generated by the IUT with
  the IUT's accredited classification.

- Failure: None of the datagrams generate a response.


Test 2: BASIC SECURITY OPTION DETECTION AND SYNTAX VALIDATION


Does the IUT send only one Basic Security Option (BSO) per IP
Datagram (i.e., option type 130)? Is the format of that packet
correct?

- Action: Remote Driver returns an IP datagram with the
  security option specified correctly.

- Verification:

  - Option type = 130 decimal.

  - Length is consistent with option length.

  - Classification should be identical with packet
    sent from reference.

  - Authority flags set equal to specified codes.

  - Only one option type 130 is present.

- Success: All of the verification criteria are met.

- Failure: Either a verification criterion is incorrect or
  more than one option type 130 is located.


Test 3: EXTENDED SECURITY OPTION DETECTION AND SYNTAX VALIDATION

If the IUT's datagram contains an extended security option
(option type 133), is the format of the packet correct?

- Action: Remote Driver returns an IP datagram with the
  extended security option specified.

- Verification: Option type = 133 decimal.

- Success: Option is located.

- Failure: Not applicable.


Test 4: CORRECT SECURITY LABELING OF ALL FRAGMENTS


If the IUT fragments an IP datagram, it must place the Basic
Security Option (BSO) in all packets.

- Action: Remote Driver is requested to send continuously
  larger data segments in an effort to force the IP
  IUT to fragment the datagram.

- Verification: Basic option type 130 must be located in
  all fragments with a consistent specification
  for the security.

- Success: All fragments contain the BSO and all fragments
  have the same level.

- Failure: A fragment that is found without the BSO or the
  value of the classification is not consistent.
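
The verification criteria of Test 2 and the per-fragment check of Test 4 can be expressed as a small option checker. This is an added example, not part of the original test system: it assumes the standard IP option encoding (type octet, length octet counting itself, with single-octet options 0 and 1) and assumes the BSO body is one classification octet followed by the authority flag octets, a layout this document does not spell out. The function names and the sample bytes are constructed for illustration.

```python
BSO_TYPE = 130           # Basic Security Option type checked in Test 2
EOL, NOP = 0, 1          # single-octet IP options (no length octet)

def parse_options(opts: bytes):
    """Split an IP header options area into (type, data) pairs."""
    out, i = [], 0
    while i < len(opts):
        otype = opts[i]
        if otype == EOL:
            break
        if otype == NOP:
            i += 1
            continue
        if i + 1 >= len(opts):
            raise ValueError("option truncated before its length octet")
        length = opts[i + 1]          # counts the type and length octets too
        if length < 2 or i + length > len(opts):
            raise ValueError(f"option {otype} length {length} overruns the options area")
        out.append((otype, opts[i + 2:i + length]))
        i += length
    return out

def check_bso(opts: bytes, ref_class: int, ref_auth: bytes):
    """Apply the Test 2 verification criteria; return a list of failures."""
    try:
        bsos = [d for t, d in parse_options(opts) if t == BSO_TYPE]
    except ValueError as exc:
        return [f"length inconsistent: {exc}"]
    if len(bsos) != 1:
        return [f"expected exactly one option type 130, found {len(bsos)}"]
    body = bsos[0]                    # assumed layout: classification, then authority flags
    failures = []
    if not body or body[0] != ref_class:
        failures.append("classification differs from reference")
    if body[1:] != ref_auth:
        failures.append("authority flags differ from specified codes")
    return failures

def check_fragments(frag_opts, ref_class, ref_auth):
    """Test 4: map fragment index -> failures; an empty dict means success."""
    results = {n: check_bso(o, ref_class, ref_auth) for n, o in enumerate(frag_opts)}
    return {n: f for n, f in results.items() if f}

# Constructed sample option areas (not captured traffic).
GOOD = bytes([130, 4, 0x5A, 0x80])
BAD_LEN = bytes([130, 9, 0x5A, 0x80])
UNLABELED = bytes([NOP, NOP, NOP, EOL])
```

Checking every fragment against the reference values, rather than against the first fragment, also catches the case where all fragments agree with each other but carry the wrong level.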


Test 5: CORRECT SECURITY USAGE


Continuously increase the security classification of IP datagrams
that the Remote Driver is asked to set in the echo packet.

- Action: Central Driver will send valid IP datagrams
  requesting the Remote Driver to generate IP
  datagrams with increasing security classification.
  The accreditation authority will be held constant.

- Verification: The Central Driver will log the classification
  setting and the result from the IUT.

- Success: Only datagrams with the accredited security
  classification should be returned.

- Failure: Datagrams at different security levels are
  returned.


Test 6: CORRECT ACCREDITATION USAGE


The IUT IP should send datagrams with only one accreditation
mask.

- Action: A series of datagrams are sent to the IUT's
  Remote Driver requesting that the accreditation
  mask be set to a different but valid combination
  in each datagram. Each datagram will contain an
  IP Remote Driver command to echo back the
  datagram.

- Verification: The Central Driver will log the
  accreditation mask that is sent and the
  response, if received.

- Success: Only one accreditation mask will be received.

- Failure: Different accreditation masks are received.


Test 7: MULTIPLE LENGTH ACCREDITATION MASK


The IPSO Addendum allows for a multi-octet-length Accreditation
mask, even though it specifies only a single octet at the present
time. This test will observe the IUT's handling of a multi-octet
accreditation option.

- Action: The reference will send a valid IP datagram with
  a multi-octet accreditation field. The field will
  be syntactically correct, specifying only the
  proper accreditation entities. A second datagram
  will be sent with a multi-octet accreditation
  field that is syntactically incorrect. Again, the
  Remote Driver will be asked to echo back the
  datagram.

- Verification: The reference should receive and log the
  datagram's echo.

- Success: A receipt of an echo for the first datagram.

- Failure: A receipt of an echo for the second datagram.


